Security Orchestration

Real Life Security Operations

During the last decade or so, most large organizations have built a Security Operations Center (SOC) to deal with ever-expanding security challenges and growing alert numbers. People, processes, and technology are the three pillars of an organization’s SOC. While responding to a security incident, SOC teams need all three, combined in a complicated mix-and-match fashion, to be successful. Failure to integrate people, processes, and technology can doom a security program.

What is Security Orchestration?

Security orchestration involves interweaving people, processes, and technology in the most effective manner to strengthen the security posture of an organization. By streamlining security processes, connecting disparate security tools and technologies, and maintaining the right balance of bot-powered security automation and human intervention, security orchestration empowers security professionals to carry out threat hunting and incident response effectively and efficiently.

The Need for Security Automation and Orchestration

Over the past few years, the number of incidents that cyber security professionals must respond to has increased dramatically. Providing 100-percent coverage would require enough analysts to evaluate that many incidents every day. Without adequate staffing, as statistics have shown, incidents that security teams cannot address in time can severely affect the organization.

Given the current shortage of qualified cyber security professionals, however, few organizations can recruit and retain a large enough staff to deal with the volume of incidents that they face. Instead, companies are turning to security automation and orchestration to bolster their defenses.

Is Security Orchestration just a ‘sexy’ word for Security Automation?

Since it has become increasingly common in the industry to use the terms “security automation” and “security orchestration” interchangeably, we did some research with the goal of defining three different terms – “Security Automation”, “Security Orchestration” and “Security Workflow”. We sent a bunch of emails, made lots of phone calls to customers, prospects and colleagues, and read whatever material was available out there. What we found was quite interesting:

1. None of the customers and prospects clearly sees the difference between security orchestration and security automation. They all understand the value that products in this space intend to deliver, but the crowded market and the buzzword bingo that we are all part of result in a lot of confusion.

2. Customers have different requirements or ‘wishes’ in this space. Some of these requirements are very well defined, but others are not, indicating that a gap exists between what is available to them and what is needed.

3. Many cybersecurity professionals consider security orchestration simply the latest buzzword for security automation, or the latest phase of it. Security automation is certainly part of the solution. However, security automation alone is not enough.

Security automation can provide complete visibility, triage events, connect the dots, and automate workflow processes. Effective automation of routine tasks increases the productivity of your staff members; automation is much more efficient than asking your people to handle tasks manually. But to do their jobs properly, analysts need a comprehensive, single-pane security orchestration platform to achieve the proper balance between human intuition and automation.

Makings of a True Security Orchestration Platform

A comprehensive Security Orchestration Platform should be able to automate security product tasks, create playbooks with complicated logic, and track and orchestrate tasks assigned to analysts. In reality, most of the vendors in this space have failed to deliver a solution that encompasses the whole of security operations. The reason is that it is not simply about automating individual security tasks, or about creating a playbook of security tasks with logic. It is about weaving the human analyst into the middle of these workflows and playbooks.

A security automation and orchestration platform must solve the challenges of detecting and responding to incidents. To do that effectively, it must have the following components:

Case management

From creating the case to managing the workload, case management can shorten the MTTR (Mean Time to Respond). In addition, complete tracking of the incident management process can help improve the process over time, giving a more consistent response.

Automation

Playbook orchestration can be used to handle mundane, repetitive tasks, including false positives. The automated playbooks can analyze threat data, and other playbooks can then be executed to proactively hunt for existing threats that are based on threat intelligence data.

Collaboration

Collaborative, interactive investigations can expedite response. Machine learning can give junior analysts a nudge in the right direction by suggesting a course of action or providing information on the senior analyst who is most qualified to help with a specific type of attack.

Postmortem activities

After an incident has been resolved, it is time to analyze the threat and the team's response. A security orchestration platform can help with the postmortem activities. For example, the system can provide detailed audit trails between detection and recovery. Other useful information can include insight on the specific vulnerabilities that the attack exploited, and the potential triggers for an attack. It is time we treat Security Operations with the same rigor we apply to operations in other areas if we want to win this cat-and-mouse game.

Security Automation and Orchestration: Budgeting and ROI

Today’s organizations spend a significant amount of time and money on ecosystem technologies that could help them reduce risk. However, these solutions run in silos and don’t move as a collective whole. Despite their efforts, measuring the effectiveness of a security system is often very hard from the perspective of the “business”.

As the number of security products continues to increase, CISOs will face an ever-changing list of vendors offering new takes on the world of cybersecurity. At the same time, CISOs are going to be held increasingly accountable for their purchases. CEOs, CFOs and most other C-suite executives want to see “hard numbers” that explain exactly what they are getting for the money they are spending. However, security does not lend itself to the metrics that are typically used to justify capital expenditures. Most of the benefits delivered by security products are intangible.

A security automation and orchestration platform serves as a hub that connects all security products. This allows a security scorecard to be built for incident response functions. CISOs can then use the scorecard to make informed decisions about budget allocations for various security products. The scorecard also provides valuable, organized information that can be used to justify expenditures or allocations to those who may need to issue the final approvals.
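As an added example (not code from this page or from any vendor's product), the following Python sketch shows how the components described above fit together in one small orchestration loop: a triage playbook enriches each alert against a threat-intelligence feed, auto-closes known false positives, opens a case with an audit trail for everything else and routes it to a human analyst, and the resulting cases feed the per-product scorecard the budgeting section describes. Every alert, indicator, analyst name, allowlist entry and timestamp below is constructed for illustration.

```python
# Added example: a minimal triage playbook with a human in the loop.
# All alerts, indicators, analyst names and timestamps are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed threat-intelligence feed: indicator -> (confidence, note).
THREAT_INTEL = {
    "198.51.100.7": ("high", "constructed sample: known C2 node"),
    "203.0.113.44": ("medium", "constructed sample: mass scanner"),
}
# Constructed allowlist of sources that are known false positives
# (for instance the organisation's own vulnerability scanner).
KNOWN_BENIGN_SOURCES = {"10.0.0.5"}
# Constructed roster: alert category -> analyst best placed to take it.
ANALYSTS = {"phishing": "analyst-a", "malware": "analyst-b", "default": "analyst-c"}


@dataclass
class Alert:
    alert_id: str
    source_product: str  # the security tool that raised the alert
    category: str
    src_ip: str
    detected_at: datetime


@dataclass
class Case:
    alert: Alert
    status: str = "open"
    assignee: Optional[str] = None
    resolved_at: Optional[datetime] = None
    audit_trail: List[str] = field(default_factory=list)

    def log(self, when: datetime, message: str) -> None:
        self.audit_trail.append(f"{when.isoformat()} {message}")


def run_triage_playbook(alert: Alert, now: datetime) -> Case:
    """Automated stage: enrich, auto-close known false positives,
    otherwise open a case and route it to a human analyst."""
    case = Case(alert=alert)
    case.log(now, f"ingested from {alert.source_product}")
    if alert.src_ip in KNOWN_BENIGN_SOURCES:
        case.status = "closed-false-positive"
        case.resolved_at = now
        case.log(now, "auto-closed: source is on the known-benign allowlist")
        return case
    intel = THREAT_INTEL.get(alert.src_ip)
    if intel:
        case.log(now, f"threat intel match: confidence={intel[0]} ({intel[1]})")
    # The verdict is routed to a person; the automation does not decide it.
    case.assignee = ANALYSTS.get(alert.category, ANALYSTS["default"])
    case.log(now, f"assigned to {case.assignee} for manual investigation")
    return case


def analyst_resolve(case: Case, verdict: str, when: datetime) -> Case:
    """Manual stage: the analyst's verdict closes the case and fixes its resolution time."""
    case.status = verdict
    case.resolved_at = when
    case.log(when, f"analyst {case.assignee} closed case as {verdict}")
    return case


def scorecard(cases: List[Case]) -> Dict[str, dict]:
    """Per-product view for postmortems and budgeting: alert volume,
    false-positive share and MTTR (detection to resolution) in minutes."""
    grouped: Dict[str, List[Case]] = {}
    for c in cases:
        grouped.setdefault(c.alert.source_product, []).append(c)
    card = {}
    for product, group in grouped.items():
        minutes = [(c.resolved_at - c.alert.detected_at).total_seconds() / 60
                   for c in group if c.resolved_at is not None]
        card[product] = {
            "alerts": len(group),
            "false_positive_rate": sum(c.status == "closed-false-positive" for c in group) / len(group),
            "mttr_minutes": round(sum(minutes) / len(minutes), 1) if minutes else None,
        }
    return card


def demo():
    t0 = datetime(2024, 1, 1, 9, 0)  # constructed timestamps
    alerts = [
        Alert("A-1", "edr", "malware", "198.51.100.7", t0),
        Alert("A-2", "edr", "malware", "10.0.0.5", t0 + timedelta(minutes=1)),
        Alert("A-3", "mail-gateway", "phishing", "203.0.113.44", t0 + timedelta(minutes=2)),
    ]
    # Automation runs one minute after each detection; analysts close the escalations later.
    cases = [run_triage_playbook(a, a.detected_at + timedelta(minutes=1)) for a in alerts]
    analyst_resolve(cases[0], "closed-true-positive", t0 + timedelta(minutes=45))
    analyst_resolve(cases[2], "closed-true-positive", t0 + timedelta(minutes=32))
    return cases, scorecard(cases)


if __name__ == "__main__":
    cases, card = demo()
    for case in cases:
        print(case.alert.alert_id, case.status, *case.audit_trail, sep="\n  ")
    print(card)
```

Running `demo()` yields one auto-closed false positive and two cases escalated to analysts, each with a timestamped audit trail from ingestion to closure; the scorecard then reports, per source product, how many alerts it produced, what share were false positives and the mean minutes from detection to resolution, which is the kind of "hard number" a CISO can put beside the cost of each tool.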
